
AMD Security Technologies

See here for a list on HP SharePoint for AMD PRO Experiences. See here for slides on AMD PRO features. See here for a breakdown on Ryzen PRO vs Non-PRO CPUs.

Included in All Ryzen CPUs

AMD Platform Secure Processor (PSP)

The AMD Platform Secure Processor is a dedicated on-chip security subsystem embedded in every AMD SoC. It implements a hardware root of trust and anchors the secure boot chain. At power-on, the PSP’s immutable Boot ROM verifies and initializes the rest of the firmware (BIOS/UEFI), ensuring only signed code runs. The PSP contains a high-performance cryptographic co-processor (CCP) with a hardware random number generator (RNG) and key-generation engines (which turn the raw random output into usable cryptographic keys). It manages security keys (e.g. for Memory Guard and TPM functions) and provides a Trusted Execution Environment (isolated SRAM/MMU) for sensitive operations.

Additional PSP features include:

  • Anti-rollback for its own firmware - tracks a monotonic security/version counter and rejects any attempt to load an older firmware image, even one that is correctly signed. Rollback attacks are a common way to reintroduce known flaws; by design, the PSP’s boot ROM and update logic only accept firmware at or above the recorded secure version, so fixes and mitigations remain in effect.
  • Watchdog timer - monitors the system for hangs or failures during critical security operations (such as secure boot or firmware validation). If the PSP detects that a process has stalled or exceeded a predefined time limit, the watchdog triggers a corrective action, usually a system reset or recovery routine, so the platform does not remain in an insecure or unstable state.
  • Cloud bare metal recovery - supports remote restore and recovery of a system at the firmware level, even when the operating system is not functional. In practice, this means that if a device becomes corrupted or unbootable due to firmware tampering, failed updates, or malware, the PSP can initiate a recovery process over the network (often through OEM or enterprise management tools).
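The two checks the PSP boot ROM performs before handing off to firmware (signature, then anti-rollback against a monotonic minimum version) are easy to get subtly wrong, so here is a toy model of them. This is an added illustration, not AMD firmware: the real boot ROM verifies an asymmetric signature against a key hash fused into the SoC, whereas this script stands in an HMAC-SHA256 under a constructed device-held key so that it runs offline with the standard library only; image contents and version numbers are constructed.

```python
"""Toy model of the PSP boot-ROM gate: signature check plus anti-rollback.

Added illustration, not AMD firmware. The real boot ROM checks an
asymmetric signature against a key hash fused into the SoC; here an
HMAC-SHA256 under a device-held key stands in for that signature so
the script runs offline with the standard library only.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed key material: stands in for the OEM signing key whose hash
# the real silicon carries in one-time-programmable fuses.
ROM_TRUSTED_KEY = b"constructed-oem-signing-key"


class BootError(Exception):
    """Raised when the boot ROM refuses to hand off to firmware."""


@dataclass(frozen=True)
class FirmwareImage:
    version: int   # security version number carried in the image header
    body: bytes    # firmware payload
    tag: bytes     # signature over header and body


def _signed_region(version: int, body: bytes) -> bytes:
    # The version is covered by the signature, so an old payload cannot be
    # re-labelled with a newer version number to slip past the rollback check.
    return struct.pack(">I", version) + body


def sign_image(version: int, body: bytes, key: bytes) -> FirmwareImage:
    """OEM side: produce a signed image (stand-in for the signing server)."""
    tag = hmac.new(key, _signed_region(version, body), hashlib.sha256).digest()
    return FirmwareImage(version, body, tag)


class SecureProcessor:
    """The state the PSP keeps across boots: the lowest version it will accept."""

    def __init__(self, min_version: int = 0) -> None:
        self.min_version = min_version   # monotonic: only ever ratchets upward

    def verify_and_boot(self, img: FirmwareImage) -> int:
        expected = hmac.new(ROM_TRUSTED_KEY, _signed_region(img.version, img.body),
                            hashlib.sha256).digest()
        # Signature first: an unsigned image never gets as far as the version check.
        if not hmac.compare_digest(expected, img.tag):
            raise BootError("signature check failed: image is unsigned or tampered")
        if img.version < self.min_version:
            raise BootError(f"rollback rejected: image version {img.version} "
                            f"is below recorded minimum {self.min_version}")
        # Accepting a newer image raises the floor, so a patched flaw stays patched.
        self.min_version = max(self.min_version, img.version)
        return self.min_version


def boot_outcome(psp: SecureProcessor, img: FirmwareImage) -> str:
    """Convenience wrapper returning 'ok' or the boot ROM's refusal reason."""
    try:
        psp.verify_and_boot(img)
        return "ok"
    except BootError as exc:
        return str(exc)


if __name__ == "__main__":
    psp = SecureProcessor()
    v1 = sign_image(1, b"bios-v1", ROM_TRUSTED_KEY)
    v2 = sign_image(2, b"bios-v2 (fixes flaw in v1)", ROM_TRUSTED_KEY)
    print(boot_outcome(psp, v1))   # ok
    print(boot_outcome(psp, v2))   # ok, recorded minimum is now 2
    print(boot_outcome(psp, v1))   # rollback rejected: image version 1 ...
    print(boot_outcome(psp, sign_image(3, b"bios-v3", b"wrong-key")))  # signature check failed ...
```

Two details matter in the model: the version number sits inside the signed region, so an old payload cannot simply be re-labelled, and the minimum version is only raised after a successful signature check, so an unsigned image can never move the counter.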

In effect, the PSP on AMD serves many of the roles of a TPM and of Intel’s Management Engine, but tailored for the AMD architecture. It verifies BIOS integrity and supplies secure services to the OS (e.g. key storage, sealed secrets). Importantly, on AMD client silicon the PSP (referred to as AMD Secure Processor 2.0) works alongside Microsoft Pluton: the PSP anchors the initial firmware trust, while Pluton provides a Windows-managed root of trust at the OS level.

See AMD Secure Processor (PSP) vs Intel Management Engine (ME/CSME) for Intel Comparison.

AMD Shadow Stack (Hardware Control-Flow Protection)

Note

Included in Ryzen Zen 3 CPUs and later

AMD implements a counterpart to Intel’s CET (Control-flow Enforcement Technology), called Shadow Stack (see here for more info on what shadow stacks are). With Zen 3 (e.g., Ryzen 5000) and newer, AMD processors support a hardware-enforced shadow stack: on each function call the return address is stored in a separate protected stack in hardware. When a function returns, the processor checks the return address against this protected shadow copy, preventing return-oriented programming (ROP) and other stack-skipping exploits. Windows 11’s “Hardware-enforced Stack Protection” (HVCI/CET) uses this feature. Shadow Stack on AMD works transparently and helps prevent kernel and user-mode control-flow hijacks. It is complementary to Microsoft’s software CFI mechanisms (CFG, Control Flow Guard) and is a requirement for Secured-core PCs on AMD hardware. Notably, Intel also supports CET on Tiger Lake and later, so both AMD and Intel now have hardware stack protection (no clear advantage except timing of adoption).
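To make the return-address check concrete, here is a small simulation of the mechanism described above. It is an added illustration, not AMD or Microsoft code: a minimal stack machine keeps the ordinary data stack, which any memory write can reach, and a separate shadow stack that only CALL and RET touch; on RET the two copies of the return address must agree, otherwise the model raises a control-protection fault (the #CP exception on x86) instead of jumping. All addresses are constructed placeholders.

```python
"""Toy model of hardware shadow-stack return checking.

Added illustration, not AMD or Microsoft code. A minimal stack machine
keeps the ordinary data stack, which any memory write can reach, and a
separate shadow stack that only CALL and RET touch. On RET the two copies
of the return address must agree; otherwise the CPU raises a
control-protection fault (#CP on x86) instead of jumping.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class ControlProtectionFault(Exception):
    """Models the #CP exception the hardware raises on a shadow-stack mismatch."""


@dataclass
class Cpu:
    shadow_stack_enabled: bool = True
    pc: int = 0
    data_stack: list[int] = field(default_factory=list)
    shadow_stack: list[int] = field(default_factory=list)  # reachable only via call/ret

    def call(self, target: int, return_addr: int) -> None:
        """CALL: push the return address on both stacks, then jump to target."""
        self.data_stack.append(return_addr)
        if self.shadow_stack_enabled:
            self.shadow_stack.append(return_addr)
        self.pc = target

    def store(self, slot: int, value: int) -> None:
        """An ordinary memory write into the data stack.

        This is the path by which a stack-buffer overflow or a stray pointer
        write reaches a saved return address; the shadow stack has no such path.
        """
        self.data_stack[slot] = value

    def ret(self) -> int:
        """RET: pop the return address, compare with the shadow copy, then jump."""
        addr = self.data_stack.pop()
        if self.shadow_stack_enabled:
            expected = self.shadow_stack.pop()
            if addr != expected:
                raise ControlProtectionFault(
                    f"#CP: data stack says {addr:#x}, shadow stack says {expected:#x}")
        self.pc = addr
        return addr


def run_scenario(shadow_stack_enabled: bool, corrupt: bool) -> str:
    """Call a function, optionally clobber its saved return address, then return.

    Addresses are constructed placeholders. Returns a short description of what
    the CPU ended up doing so the two configurations can be compared.
    """
    cpu = Cpu(shadow_stack_enabled=shadow_stack_enabled)
    caller_resume = 0x4010
    cpu.call(target=0x1000, return_addr=caller_resume)
    if corrupt:
        # Overwrite the saved return address through the ordinary write path.
        cpu.store(slot=len(cpu.data_stack) - 1, value=0xBAD0)
    try:
        landed = cpu.ret()
    except ControlProtectionFault as fault:
        return f"blocked: {fault}"
    if landed == caller_resume:
        return "returned normally"
    return f"control flow diverted to {landed:#x}"


if __name__ == "__main__":
    for enabled in (False, True):
        for corrupt in (False, True):
            print(f"shadow stack {'on ' if enabled else 'off'}, "
                  f"corruption {'yes' if corrupt else 'no '}: "
                  f"{run_scenario(enabled, corrupt)}")
```

The point the four runs make is the one the section states: with the shadow stack off, a corrupted saved address silently redirects execution; with it on, the same corruption is caught at the RET and the process is terminated rather than hijacked. Windows surfaces exactly this as a fast-fail of the offending process when Hardware-enforced Stack Protection is on.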

Ryzen PRO CPUs Only

AMD Memory Guard (Full-System Memory Encryption)

AMD’s branding for Secure Memory Encryption (SME)

All DRAM contents are encrypted on-the-fly by dedicated AES (Advanced Encryption Standard) engines in the memory controllers (directly on silicon, more power efficient, more secure), using a random 128-bit key per boot that is never exposed to software (whitepaper, see page 7). This protects against cold-boot attacks and physical memory snooping, since even if an attacker freezes and dumps RAM, the data remains encrypted. Key management is handled by the AMD Secure Processor (PSP). Performance overhead is very low: AMD reports <1 % CPU cost (≈3–4 % overall system), and real-world tests show only modest slowdowns (typically a few percent, up to ≈10 % on heavy memory-bound tasks). Memory Guard is supported on AMD Ryzen™ PRO, Threadripper™ PRO, and Athlon™ PRO platforms (with OEM enablement). In enterprise deployment it’s typically enabled by default on Secured-core PCs, and can be turned on/off in firmware (as seen on HP business laptop BIOSes). Combined with BitLocker (drive encryption) and TPM-based authentication, it helps secure data even if a laptop is lost or stolen.
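Because Memory Guard is a firmware-enabled feature, a practitioner auditing a fleet will want a way to confirm what the CPU and OS report. The check below is an added example, not AMD or HP tooling, and applies where a Linux image is available (for instance a live USB on an HP business laptop): it parses the `flags` lines of `/proc/cpuinfo` for `sme` (Secure Memory Encryption, the feature marketed as Memory Guard) and `sev`/`sev_es` (the virtualization variants), and checks whether the kernel command line requested activation with `mem_encrypt=on`. The cpuinfo and command-line samples are constructed; a flag shows capability only, so firmware enablement and kernel activation still have to be confirmed separately.

```python
"""Report AMD memory-encryption capability from Linux /proc files.

Added check, not AMD or HP tooling. In /proc/cpuinfo the ``sme`` flag marks
CPU support for Secure Memory Encryption (marketed as Memory Guard);
``sev``/``sev_es`` mark the virtualization variants. A flag only shows
capability: the feature must also be enabled in firmware and, on Linux,
activated by the kernel (``mem_encrypt=on`` on the kernel command line
unless the kernel build defaults it on).
"""
from __future__ import annotations

# Constructed sample; a real file repeats such a block once per logical CPU.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "model name\t: AMD Ryzen PRO (constructed sample)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sme sev sev_es\n"
    "\n"
    "processor\t: 1\n"
    "vendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sme sev sev_es\n"
)

# Constructed sample kernel command line.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/nvme0n1p2 ro quiet mem_encrypt=on\n"


def parse_cpuinfo(text: str) -> dict[str, object]:
    """Collect the vendor string and the union of CPU flags from cpuinfo text."""
    vendor = None
    flags = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator lines between CPU blocks
        key, value = key.strip(), value.strip()
        if key == "vendor_id" and vendor is None:
            vendor = value
        elif key == "flags":
            flags.update(value.split())
    return {"vendor": vendor, "flags": flags}


def memory_encryption_status(cpuinfo_text: str, cmdline: str) -> dict[str, object]:
    """Summarise SME/SEV capability and whether the kernel was asked to turn SME on."""
    info = parse_cpuinfo(cpuinfo_text)
    flags = info["flags"]
    return {
        "amd": info["vendor"] == "AuthenticAMD",
        "sme_capable": "sme" in flags,
        "sev_capable": "sev" in flags,
        "sev_es_capable": "sev_es" in flags,
        "sme_requested": "mem_encrypt=on" in cmdline.split(),
    }


def read_live_status(cpuinfo_path: str = "/proc/cpuinfo",
                     cmdline_path: str = "/proc/cmdline") -> dict[str, object]:
    """Same summary for the running host (Linux only)."""
    with open(cpuinfo_path) as cpuinfo, open(cmdline_path) as cmdline:
        return memory_encryption_status(cpuinfo.read(), cmdline.read())


if __name__ == "__main__":
    for key, value in memory_encryption_status(SAMPLE_CPUINFO, SAMPLE_CMDLINE).items():
        print(f"{key:>16}: {value}")
```

Run against the constructed sample the summary reports an AMD part with SME and SEV capability and SME requested at boot; on a real host call `read_live_status()` instead. The capability flags come from the CPU regardless of the BIOS toggle, which is why the script keeps capability and activation as separate fields rather than collapsing them into one "encrypted" answer.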

AMD Platform Secure Boot

AMD Platform Secure Boot is a mechanism tying each CPU to an OEM’s firmware signing key (via a one-time programmable fuse). The PSP verifies that the UEFI firmware is signed by the OEM before booting. On AMD PRO systems, if this is enabled, the processor will refuse to boot with any BIOS not signed by the OEM. This ensures BIOS/UEFI integrity. In practice, HP implements this via its “Sure Start” (self-healing BIOS), which leverages the PSP/secure boot to detect tampering and recover a known-good BIOS. The chain of trust extends from the AMD Secure Processor to the HP BIOS to the Windows bootloader.

AMD PRO Manageability (DASH-based Remote Management)

AMD PRO Manageability provides enterprise-grade out-of-band (OOB) and in-band management for AMD Ryzen PRO processors using the open DMTF DASH (Desktop and mobile Architecture for System Hardware) standard, enabling secure remote control of desktops and mobiles even when powered off or unbootable.

On Client/Endpoint Services

  • AMD Integrated Management Technology (AIM-T) implements DASH on AMD hardware via a dedicated SoC core, supporting wireless (Wi-Fi) and wired (Ethernet) connections with tools like Provisioning Console and DASH CLI. Must be enabled via BIOS (or via a company PC image that enables it by default). The AIM-T core operates independently with its own minimal power domain, firmware, and network stack (via dedicated WLAN/LAN modules like Realtek Ethernet). AMD PRO SKUs only.
  • AIM-T Manageability Service (AMS) - runs as a Windows service on AMD PRO systems to enable DASH-compliant out-of-band management via AIM-T hardware. Ryzen PRO CPUs only.

On Site IT Admin Services

  • AMD Management Console (AMC) - GUI application tailored for small and medium-sized businesses (SMBs), supporting monitoring and control of up to 500 DASH-compliant AMD PRO client systems.
  • DASH Command Line Interface (CLI) - scripting tool that provides a command-line shell for out-of-band and in-band management tasks on DASH-enabled systems. It enables automation of power management, asset inventory, alerts, firmware updates, and more. It’s lightweight and ideal for batch operations or integration into custom workflows.

Off Site IT Admin Services

  • AMD Cloud Manageability Services (ACMS) - extends AIM-T/DASH for remote management of off-network AMD devices, aiding hybrid work scenarios. ACMS is a lightweight agent (deployable on Windows Server or Ubuntu) that acts as a secure proxy or broker, allowing IT admins to reach DASH-enabled AMD PRO systems over the public internet via encrypted HTTPS/TLS channels. It requires initial provisioning (via AMD Provisioning Console or APC tool) to configure cloud access details like enterprise network endpoints and Wi-Fi credentials (up to WPA3 SAE for enhanced security).

Its purpose is to simplify IT administration across device lifecycles, from provisioning and inventory to power control, BIOS updates, and recovery, while avoiding vendor lock-in through support for third-party NICs like Realtek or Qualcomm. IT teams in enterprises, especially those with mixed-vendor fleets, use it to reduce downtime, lower support costs, and maintain security in distributed or remote work environments. IT Administrators can monitor and access AMD PRO client systems in a number of ways:

AMD PRO Manageability supports up to 35 DASH profiles, which are capability profiles that can be applied per device or scenario to tailor management behaviour, such as enabling specific features or security levels. It provides both in-band (via software agents/plugins) and out-of-band capabilities.

Note: the AMD PRO management software is all free; you just need supporting hardware (AMD PRO CPUs).

Out-of-Band Management

  • Runs via embedded NIC firmware for remote access independent of the OS, however full DASH/AIM-T uses SoC + NIC integration.
  • Implementing Out-Of-Band PC Management with DASH on HP Business Systems with AMD Chipset
  • Implementing Out-Of-Band PC Management with AMD PRO Manageability on HP Business Systems with AMD Chipset
  • Includes:
    • Power control (on/off/reset) - Works on powered-off or crashed systems.
    • Allows BIOS/firmware configuration/updates.
    • Keyboard-Video-Mouse (KVM) redirection - lets an administrator remotely interact with the system’s console (BIOS, UEFI, OS) as if physically present.
    • Hardware Inventory - View CPU, memory, storage, and other hardware details remotely.
    • Alerts & Monitoring - Receive notifications about hardware health or security events.
    • Remote Media Redirection - Ability to mount ISO images or virtual drives remotely for OS installation or recovery (achieved by redirecting I/O requests from the system’s BIOS/OS to the remote media source over the network, pretends the ISO is a local CD/DVD/USB drive).
  • Typically requires authentication, encryption (TLS, Transport Layer Security), and role-based access control to prevent unauthorized access.
  • Often operates on dedicated management port or VLAN to isolate traffic from the production network.
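The authentication and TLS requirements listed above are concrete protocol properties, since DASH management traffic is WS-Management (SOAP 1.2 over HTTP/HTTPS). The example below is added here and is not AMD’s Provisioning Console or DASH CLI: it builds the WS-Management Identify request (the discovery call that returns the management controller’s vendor and version), refuses to send it over anything but HTTPS, and parses a response. The endpoint path `/wsman`, port 664 (the WS-Management HTTPS default), the use of Basic authentication over TLS, and the sample response are assumptions or constructed values; a real controller may require Digest authentication instead.

```python
"""Build and parse a WS-Management Identify exchange for a DASH endpoint.

Added illustration, not AMD's Provisioning Console or DASH CLI. The endpoint
path, port 664 (assumed WS-Management HTTPS default), Basic-over-TLS auth and
the sample response are assumptions/constructed values.
"""
from __future__ import annotations

import base64
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"
ET.register_namespace("s", SOAP_NS)
ET.register_namespace("wsmid", WSMID_NS)

# Constructed IdentifyResponse, shaped like what a WS-Management listener returns.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd">
  <s:Header/>
  <s:Body>
    <wsmid:IdentifyResponse>
      <wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>
      <wsmid:ProductVendor>Constructed Vendor</wsmid:ProductVendor>
      <wsmid:ProductVersion>1.0 (constructed)</wsmid:ProductVersion>
    </wsmid:IdentifyResponse>
  </s:Body>
</s:Envelope>"""


def management_url(host: str, port: int = 664, use_tls: bool = True) -> str:
    """Return the WS-Management endpoint URL, refusing plaintext HTTP.

    The requirement that OOB management be encrypted is enforced as a hard
    rule here rather than left as a default that can be switched off.
    """
    if not use_tls:
        raise ValueError("refusing plaintext HTTP for management traffic; use TLS")
    return f"https://{host}:{port}/wsman"


def build_identify_request() -> bytes:
    """SOAP 1.2 envelope carrying an empty wsmid:Identify body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, f"{{{WSMID_NS}}}Identify")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_identify_response(xml_bytes: bytes) -> dict[str, str | None]:
    """Pull vendor, product version and protocol version out of an IdentifyResponse."""
    root = ET.fromstring(xml_bytes)
    resp = root.find(f".//{{{WSMID_NS}}}IdentifyResponse")
    if resp is None:
        raise ValueError("not a WS-Management IdentifyResponse")

    def text(tag: str) -> str | None:
        el = resp.find(f"{{{WSMID_NS}}}{tag}")
        return el.text.strip() if el is not None and el.text else None

    return {
        "vendor": text("ProductVendor"),
        "product_version": text("ProductVersion"),
        "protocol_version": text("ProtocolVersion"),
    }


def identify(host: str, username: str, password: str, timeout: float = 5.0) -> dict[str, str | None]:
    """Send Identify to a real endpoint over HTTPS (network; not exercised offline)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        management_url(host),
        data=build_identify_request(),
        headers={"Content-Type": "application/soap+xml;charset=UTF-8",
                 "Authorization": f"Basic {token}"},  # assumed: Basic over TLS
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_identify_response(resp.read())


if __name__ == "__main__":
    print(build_identify_request().decode())
    print(parse_identify_response(SAMPLE_RESPONSE))
```

Identify is the harmless first call an inventory tool makes, and it also shows why the page lists a dedicated management VLAN: the request carries credentials and reaches a controller that runs below the OS, so it belongs on an isolated network segment with TLS certificate validation left at the `urllib` default (on). The constructed response exercises the parser; against real hardware, `identify()` does the same over the network.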

In-Band Management

Operates through the system’s operating environment and software stack, allowing IT administrators to monitor and control endpoints when they are online and connected. While AMD Manageability primarily emphasizes out-of-band (OOB) capabilities via DASH, the AMD Management Plug-in for SCCM (AMPS, v7.x) extends Microsoft System Center Configuration Manager (SCCM) and Microsoft Endpoint Manager (MECM/Intune) to access DASH features via OS-level agents on Windows systems. It enables tasks like remote KVM redirection, hardware/software inventory (with richer OS context), power control, patching, and compliance checks directly within the SCCM console.

Intel’s equivalent is AMT (Active Management Technology, part of vPro), which is proprietary, whereas DASH is an open, multi-vendor standard.